
changeset 1511:f1258993d993

Fixed issue with oauth/session endpoint and samesite cookies
author bsw
date Thu Aug 20 13:44:54 2020 +0200 (2020-08-20)
parents 2b4b243f625e
children 37a366b86b49
files app/main/_filter/20_session.lua app/main/_prefork/10_init.lua app/main/role/_action/switch.lua model/session.lua
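--- a/app/main/_filter/20_session.lua
+++ b/app/main/_filter/20_session.lua
@@ -1,14 +1,20 @@
-local cookie = request.get_cookie{ name = config.cookie_name or "liquid_feedback_session" }
+local cookie = request.get_cookie{ name = config.cookie_name }
+local cookie_samesite = request.get_cookie{ name = config.cookie_name_samesite }
+
+if
+  cookie and cookie ~= cookie_samesite 
+  and not (request.get_module() == "oauth" and request.get_view() == "session")
+then
+  slot.put_into("error", _"Cookie error. Try restarting your web browser and login again.")  
+  return
+end
 
 if cookie then
   app.session = Session:by_ident(cookie)
 end
 if not app.session then
   app.session = Session:new()
-  request.set_cookie{
-    name = config.cookie_name or "liquid_feedback_session",
-    value = app.session.ident
-  }
+  app.session:set_cookie()
 end
 
 locale.set{ lang = app.session.lang or config.default_lang or "en" }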
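Review bot: The mismatch branch returns from the filter before `app.session` is assigned, so for that request `app.session` stays nil and anything later in the filter chain or in a view that dereferences it would fail; whether such code exists is not visible here, so either assign a fresh `Session:new()` before the `return` or confirm every consumer tolerates nil. The case this check catches (session cookie present, companion cookie absent or different) is also the case most worth seeing in server logs, since it indicates either a cross-site request carrying the session cookie or a broken cookie jar, but the hunk only reports it in the user-facing slot. The intent of the two-cookie comparison is not stated anywhere in the file; a comment above the `if` such as `-- the session cookie is sent with SameSite=None, the companion cookie is not; a session cookie without a matching companion means a cross-site request, which only oauth/session may accept` would spare the next reader from reconstructing it.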
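--- a/app/main/_prefork/10_init.lua
+++ b/app/main/_prefork/10_init.lua
@@ -60,6 +60,14 @@
   config.check_delegations_default = "confirm"
 end
 
+if config.cookie_name == nil then
+  config.cookie_name = "liquid_feedback_session"
+end
+
+if config.cookie_name_samesite == nil then
+  config.cookie_name_samesite = config.cookie_name .. "_samesite"
+end
+
 if config.ldap == nil then
   config.ldap = {}
 end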
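Review bot: The new `config.cookie_name_samesite` default is introduced without saying what the second cookie is for, and the contract it participates in lives in another file, so an operator overriding it has no hint of the consequences. A one-line comment above the block would help, e.g. `-- name of the companion cookie set without SameSite=None; the session filter rejects requests whose session cookie is present but does not match it`. Note also that the default is derived from `config.cookie_name` and therefore depends on the preceding block having run first, which is worth stating since the two blocks look independent.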
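--- a/app/main/role/_action/switch.lua
+++ b/app/main/role/_action/switch.lua
@@ -31,10 +31,8 @@
 
   app.session:destroy()
 
-  request.set_cookie{
-    name = config.cookie_name or "liquid_feedback_session",
-    value = session.ident
-  }
+  session:set_cookie()
+
 elseif app.session.real_member_id then
   local session = Session:new()
   session.member_id = app.session.real_member_id
@@ -42,10 +40,8 @@
 
   app.session:destroy()
 
-  request.set_cookie{
-    name = config.cookie_name or "liquid_feedback_session",
-    value = session.ident
-  }
+  session:set_cookie()
+
 end
 
 if config.meta_navigation_home_url then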
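--- a/model/session.lua
+++ b/model/session.lua
@@ -40,6 +40,18 @@
   return session
 end
 
+function Session.object:set_cookie()
+  request.set_cookie{
+    name = config.cookie_name,
+    value = self.ident,
+    samesite = "none"
+  }
+  request.set_cookie{
+    name = config.cookie_name .. "_samesite",
+    value = self.ident
+  }
+end
+
 function Session.object:additional_secret_for(purpose)
   local use_hash = false
   local idx = secret_purposes[purpose]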
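Review bot: The companion cookie is written under the hard-coded name `config.cookie_name .. "_samesite"`, while the filter in app/main/_filter/20_session.lua reads it under `config.cookie_name_samesite`, which app/main/_prefork/10_init.lua makes configurable; once an operator overrides that setting the filter reads a cookie that is never set and every request carrying a session cookie fails the mismatch check. The second call should use the configured name, `name = config.cookie_name_samesite,`. Separately, the first cookie is sent with `samesite = "none"` but nothing in the hunk marks it Secure, and current browsers discard a SameSite=None cookie that lacks the Secure attribute, which would leave only the companion cookie and silently start a new session on every request; check whether `request.set_cookie` accepts a field for the Secure attribute and set it here. A short doc comment above the method stating that it issues the session cookie twice, once with SameSite=None for the oauth/session endpoint and once without, would make the pairing with the filter explicit.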
